The massive China-based hack of federal employees' data may be only the beginning

An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho September 29, 2011.
REUTERS/Jim Urquhart
WASHINGTON (AP) — A giant hack of millions of government personnel files is being treated as the work of foreign spies who could use the information to fake their way into more-secure computers and plunder U.S. secrets.

Federal employees were told in a video Friday to change all their passwords, put fraud alerts on their credit reports and watch for attempts by foreign intelligence services to exploit them. That message came from Dan Payne, a senior counterintelligence official for the Director of National Intelligence.

"Some of you may think that you are not of interest because you don't have access to classified information," he said. "You are mistaken."

Federal officials said Friday the cyberattack appeared to have originated in China, but they didn't point fingers directly at the Chinese government. The Chinese said any such accusation would be "irresponsible and unscientific."

"We know that the attack occurred from somewhere in China, but we don't know whether it was an individual or a group or a nation-state attack," said Rep. Jim Langevin, a Rhode Island Democrat and leading voice in Congress on cybersecurity. He added, though that it had "all the hallmarks of a nation-state attack."

U.S. President Barack Obama (R) meets China's President Xi Jinping, on the sidelines of a nuclear security summit, in The Hague March 24 2014.
REUTERS/Kevin Lamarque
White House spokesman Josh Earnest said he couldn't divulge much while the case was under investigation. Still, he noted that investigators "are aware of the threat that is emanating from China."

One U.S. official said the breach of data involving more than 4 million past and present federal workers was being investigated as a national security matter. That suggests authorities believe a nation was behind it rather than a more loosely organized gang of cybercriminals. The official was not authorized to discuss an ongoing investigation and spoke only on condition of anonymity.

Advertisement

The breach was an embarrassing showing for the U.S. government's vaunted computer-defense system for civilian agencies — dubbed "Einstein" — which is costing $376 million this year alone. It's supposed to detect unusual Internet traffic that might reflect hacking attempts or stolen data being transmitted outside the government.

A wide range of information is prized by spies — classified military secrets but also economic strategy and internal foreign policy debates.

This latest breach occurred in December but wasn't discovered until April, officials say. It was made public Thursday.

"The scale of it is just staggering," said Rep. Adam Schiff, D-Calif., top Democrat on the House Intelligence Committee. There's no telling how many more attacks could be spawned by the information stolen in this case, he said.

Although most Americans think of identity thieves stealing from credit card or bank accounts, the information about civilian federal workers has other value for spies.

"They're able to identify people who are in positions with access to significant national security information and can use personal data to target those individuals," said Payne, the counterintelligence official.

He said details from personnel files could be used to craft personalized phony messages to trick workers. Federal employees who think they're opening an email from co-workers or family members might infect their computers with a program that would steal more information or install spy software.

Spies also could use details about an employee's interests or background to befriend them and try to manipulate them into revealing secrets.

A Department of Homeland Security worker listens to U.S. President Barack Obama talk at the National Cybersecurity and Communications Integration Center in Arlington, Virginia, January 13, 2015.
REUTERS/Larry Downing

Kevin Mitnick, a former hacker who now runs Mitnick Security Consulting of Las Vegas, called confidential details about federal employees "a gold mine."

Advertisement

"What's the weakest link in security?" Mitnick said. "The human. Now you know all about your target."

The hackers may have made off with even more information about workers who undergo security clearance background checks. That information includes the names of family, neighbors, even old bosses and teachers, as well as reports on vices, arrests and foreign contacts.

However, OPM spokesman Samuel Schumach said there was no evidence to suggest that security clearance information collected by OPM was compromised. It's stored separately from routine personnel files, he said.

"The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, job assignments, training files, performance ratings and current and former addresses," Schumach said in an email.

U.S. President Barack Obama delivers remarks at the National Cybersecurity and Communications Integration Center (NCCIC) on January 13, 2015 in Arlington, Virginia.
Kristoffer Tripplaar-Pool/Getty Images
The breach occurred at a network maintained by the Department of Interior, which also houses the personnel agency's files. Schumach said agencies share computer systems partly to save money — and it's also supposed to strengthen security.

Security experts said the hackers may have gone after the personnel agency because it's an easier target than the Pentagon or National Security Agency.

Advertisement

Private cybersecurity researchers said they believe the personnel agency was targeted by the same hackers who got into the Anthem and Primera health insurance groups last year.

John Hultquist, head of cyberespionage intelligence at iSight, said the Dallas-based security firm had found evidence linking the insurance and government attacks, but declined to say whom they suspect. "We think they are creating a database they can leverage for follow-on espionage," Hultquist said.

2Lt William Liggett works at the Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colorado.
REUTERS/Rick Wilking
A spokesman for the Director of National Intelligence declined to discuss whether there was evidence against China or whether intelligence agency employees were among those whose information was compromised.

U.S. investigators have improved their ability to attribute cyberattacks in recent years, officials said, and Chinese attacks often have identifiable signatures.

The Homeland Security Department noted that the Einstein defenses were just one part of the government's cybersecurity, and said it was used to confirm the breach. But that's like a smoke alarm sounding after the house burned down.

Advertisement

Einstein also helped understand how the break-in happened and protect against a repeat of a similar attempt.

"It didn't fare so well," said James Lewis, a leading cybersecurity expert at the Center for Strategic and International Studies, a Washington think-tank. "It's only a victory if you defeat the opponent, and we didn't."